Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a client device or computing system such as a computer, set-top box, or mobile device without the owner's informed consent. Malware can include computer viruses, worms, Trojan horses, rootkits, adware, spyware, botnets or botnet command-and-control software, and any other malicious or unwanted software. The vulnerability of client devices to attack by malware and other intrusion processes such as botnets (often referred to as computer “infections”) is widely acknowledged. Cautious users and system operators will protect their client devices and systems by deploying appropriate security applications, including antivirus applications. Security applications will introduce firewalls to defend against intrusion, as well as various engines to detect and eliminate malware including viruses, Trojans, worms, spyware, etc.
A device may comprise or represent any device used to communicate with other devices over a wired and/or wireless communication network. Examples of devices that may be used in certain embodiments of the invention include, but are not limited to, wired or wireless devices such as, by way of example only, client devices like computers, mobile telephones, terminals, smart phones, portable computing devices such as laptops, handheld devices, tablets, net-books, personal digital assistants, and/or server devices such as web servers, databases, servers, proxy servers, and other network devices, entities, or nodes such as base stations, gateways, routers, access points or other devices that are connected to a wired and/or wireless communication network and used for communication.
A man-in-the-middle (MITM) attack is a form of eavesdropping in which an “attacker” makes independent connections with a user's device and acts as a relay between the device and a trustworthy entity, such as a wireless access point or even another device over a communication network. The attacker can then control or eavesdrop on the user's communication session over the communication network. In these attacks, the attacker may intercept some of the messages into and out of the device, and can inject new false messages into the communication session. This can be particularly straightforward when the attacker is within the reception range of an unencrypted wireless access point.
On an infected device, malware may download malicious software or files that may be used to implement a MITM attack. Configuration files on a device may be modified by malware thereby changing the configuration of the device and thus the behaviour of the device. For example, malware may be used to redirect a user's traffic or packets to a malicious proxy server or other destination allowing an attacker to control or eavesdrop on the user's communication session. An example configuration file that may be tampered with is a proxy auto-config (PAC) file, which defines how web browsers and other user agents on devices can automatically choose the appropriate proxy server (or access method) for fetching a given Uniform Resource Locator (URL).
Recently, MITM attacks have been detected making use of the vulnerabilities of PAC files used by many web browsers on client devices. FIG. 1 illustrates an example of such an attack in communications system 100, which includes a communications network 101 (e.g. the Internet), a device 102, an unauthorised destination device 103 such as a malware domain or an unauthorised proxy server, and a destination device 104 such as a web server. In this scenario, it is assumed that device 102 is infected with malware. Malware on the infected device 102 may download a malicious PAC file to the device. This allows hackers or an attacker to control the PAC file used by web browsers on the device 102. When the device 102 connects to the communications network 101, the web browser then unwittingly uses the malicious PAC file to choose a proxy server such as unauthorised destination device 103 based on the URL rules configured in the PAC file. This means selected web traffic (e.g. bank web traffic) generated by the browser on the device 102 can be redirected to a malicious proxy server or unauthorised destination device 103, which allows the attacker to eavesdrop or manipulate the user's web browser communication session between device 102 and destination device 104. For example, if the destination device 104 is a banking website or webserver, then when the user of device 102 tries to open the banking website, the browser, using a malicious PAC file, may instead connect to the malicious proxy server 103 with all user traffic being routed through the malicious proxy server 103 to the destination device 104 that includes the banking website.
This type of attack is known as a proxy configuration attack. Malicious PAC files are used to redirect or route user traffic or packets to a proxy server that is under the control of hackers or attackers, so that they gain MITM capability over the user's traffic or packets. Once a device is infected with malware and/or a malicious PAC file, the attacker is capable of performing MITM attacks on web sessions in which critical and/or personal data is transmitted, such as bank website sessions, online shopping website sessions or any other web session that uses critical or personal data such as passwords, bank details, credit card details, etc. This approach also works against simple host file modifications, Destination Name Server poisoning attacks and other MITM attacks where the host or device is trying to send packet traffic to another host or device and ends up sending the packet traffic somewhere else. However, preventing PAC files from compromising browsers is not a simple task, as client-side and/or server-side security software may not be able to detect whether a change to a given PAC file is actually a valid change or a malicious attack.
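The proxy configuration attack described above turns on what a PAC file's FindProxyForURL() returns for particular hosts. The following added example (not part of the patent text or any product it describes) evaluates a constructed PAC file against a list of sensitive URLs and flags any proxy decision that is not on an operator-maintained allowlist; the hostnames, the proxy addresses and the PAC content are constructed samples.

```javascript
// Added example: evaluate a PAC file's FindProxyForURL() for sensitive URLs
// and report any proxy decision not on an operator allowlist.
// All hostnames, addresses and the PAC source below are constructed samples.

// Minimal implementations of the helper functions browsers expose to PAC scripts.
const pacHelpers = {
  isPlainHostName: (h) => !h.includes("."),
  dnsDomainIs: (h, d) => h.endsWith(d.startsWith(".") ? d : "." + d),
  shExpMatch: (s, glob) =>
    new RegExp(
      "^" + glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
    ).test(s),
};

// Compile PAC source into a callable FindProxyForURL(url, host).
// The PAC file is attacker-controlled input: a real scanner should run it in an
// isolated sandbox (e.g. a separate vm context or process), not via new Function.
function compilePac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Constructed sample PAC: looks like ordinary corporate policy, except that one
// banking domain is routed to a proxy the operator does not run.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (shExpMatch(host, "*.bank.example")) return "PROXY 203.0.113.7:8080";
  return "PROXY proxy.corp.example:3128";
}`;

// Only decisions naming proxies the operator actually runs are acceptable.
const ALLOWED = new Set(["DIRECT", "PROXY proxy.corp.example:3128"]);

// Evaluate each URL and return those whose proxy decision is not allowlisted.
function findUnexpectedRedirects(pacSource, urls, allowed = ALLOWED) {
  const findProxy = compilePac(pacSource);
  const findings = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    const decision = findProxy(url, host).trim();
    if (!allowed.has(decision)) findings.push({ url, decision });
  }
  return findings;
}
```

Running the check over a bank login URL, an intranet URL and an ordinary shopping URL reports only the bank URL, whose traffic the sample PAC would send through the unlisted proxy.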
There is a desire for efficiently detecting and identifying user traffic or packets generated by devices being redirected based on malicious or unauthorised destinations and preventing redirection of the packets.